HIPAA & Law Firm Liability
Understanding HIPAA Compliance For Law Firms
Third-Party Service Providers & Law Firm Liability
Law firms routinely work with sensitive information, and it is common practice to implement security procedures to guard that information. Preventing unwanted exposure of sensitive information or data protects a firm's clients, the firm's reputation, and ultimately its business. When it comes to personal health information, however, firms can unknowingly be exposed to financial risk not because of their own security policies but because of the policies used by outsourced service providers. Working with reputable third-party service providers and understanding their policies and practices helps firms reduce their liability and maintain their reputation.
In this whitepaper we explore HIPAA and how it applies to law firms, how third-party service providers can cause firms to become liable under HIPAA, and finally the best practices law firms can act on to protect themselves from violations and penalties.
Included in this whitepaper
HIPAA Background Information
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) created national standards protecting confidential health information from being disclosed without patient consent. With the passage of HITECH in 2009, law firms working on behalf of covered entities are now required to implement the same privacy and security requirements as the covered entities they serve.
HIPAA & Subcontractors
The HIPAA Omnibus Rule of January 2013 clarified requirements and made business associates of covered entities, as well as their subcontractors, directly liable for compliance with HIPAA’s Privacy and Security rules. This change increases firms’ exposure to HIPAA penalties by making them potentially liable for breaches caused by any outside service provider that handles PHI.
How Law Firms Become Liable Under HIPAA
With the expansion of HIPAA, business associates (including law firms) became directly liable for violations. In this section we examine Business Associate Agreements (BAAs) and how, if they are not implemented correctly, law firms can be held liable for violations committed by their service providers.
Penalties for violating HIPAA result in substantial fines, ranging from only $100 to $1.5 million. We examine the four tiers of HIPAA violations, the differences between them, and the penalties for each.
Vetting Service Providers
Law firms that do not thoroughly perform their due diligence can be held liable for PHI breaches caused by their service providers. In this final chapter, we define how to perform proper due diligence and which questions to keep in mind when vetting a service provider.